HELP BLOG

Whats new in BlackBerry UEM Cloud

Security

iOS app integrity check: Caution: Use this feature in a beta environment only.

You can use the iOS app integrity check framework to check the integrity of iOS work apps that have been published to the App Store. This feature uses Apple DeviceCheck and other methods to provide a way to identify that your app is running on a valid Apple device and that the app is published by the specified Apple Team ID. For more information on Apple DeviceCheck, see the information from Apple. This setting applies only to devices running iOS 11 and later. Activation of BlackBerry Dynamics apps that were built using BlackBerry Dynamics SDK for iOS version 5.0 or earlier will fail if you enable the ‘Perform app integrity check on BlackBerry Dynamics app activation’ option in the activation profile and if you add those apps for iOS app integrity check. If a BlackBerry Dynamics app that was built using BlackBerry Dynamics SDK for iOS version 5.0 or earlier is already activated, and you select the 'Perform periodic app integrity checks' option in the Activation profile, the app will fail the periodic attestation check and the device will be subject to the enforcement action specified in the compliance profile that is assigned to the user.

Note: You cannot enable the iOS app integrity checking on enterprise apps that your organization has developed and distributed internally using the Apple Enterprise Distribution program.

 

Management console

BlackBerry Dynamics Connectivity profile change: The Route All option has been replaced with a Default Route option in the BlackBerry Dynamics Connectivity profile allowing for more detailed control over how BlackBerry Dynamics apps built using the latest BlackBerry Dynamics SDK can connect to app servers. This allows you to configure rules to avoid double tunneling the UEM App Store and UEM hosted application push.

 

BlackBerry Dynamics access keys: You can now generate BlackBerry Dynamics access keys for users that do not have an email address.

 

Whitelist antivirus vendors for Windows devices: In the compliance profile, in the “Antivirus status” rule for Windows devices, you can now choose to allow antivirus software from any vendor, or allow only those that you added to the “Allowed antivirus vendors” list. The rule will be enforced if a device has antivirus software enabled from any vendor that is not whitelisted.

 

User credential profiles support using Entrust for BlackBerry Dynamics apps: You can now use your Entrust PKI connection to enroll certificates for BlackBerry Dynamics apps using the User credential profile.

 

Compliance violation reporting: When a device is out of compliance, violations and any applicable actions display on the device summary page. To see which apps are in a noncompliant state, click on the ‘View noncompliant apps’ link. A device with performance alerts or compliance violations is flagged with a caution icon. Types of violations that are reported include:

  • Rooted OS or failed attestation (Android only)
  • SafetyNet attestation failure (Android only)
  • Jailbroken OS (iOS only)
  • Restricted OS version is installed (iOS, Android, macOS, Windows)
  • Restricted device model detected (iOS, Android, macOS, Windows)
  • BlackBerry Dynamics library version verification  (iOS, Android, macOS, Windows)
  • BlackBerry Dynamics apps connectivity verification (iOS, Android, macOS, Windows)
  • Antivirus status (Windows only)

In the management console, you can filter on any of the compliance rules when they occur.

 

Device compliance report: On the dashboard, the device compliance report now indicates if either the BlackBerry UEM Client or a BlackBerry Dynamics app is out of compliance.

 

Device report update: The device report now includes the BlackBerry Dynamics compliance rule status.

 

Automatic device and OS metadata updates: If a user activates a device with a model or OS version that is unknown to BlackBerry UEM, UEM automatically adds the new device or version metadata to the UEM database so that the metadata is available for Activation, Compliance, and Device SR profiles.

 

Enable Android keyboard restricted mode: You can now use the ‘Enable Android keyboard restricted mode’ option in a BlackBerry Dynamics profile to force custom keyboards into incognito mode.

 

Shared device groups: Migration is not supported for shared device groups. Users who belong to a shared device group do not appear in the Migrate users list. Devices that are part of a shared device group do not appear in the Migrate devices list.

 

New Event Notifications: BlackBerry UEM can now email event notifications to administrators for the following events:

  • iOS VPP account expiry
  • DEP token expiry
  • IT policy pack updated
  • Metadata updated

 

Activation

Activate Android Enterprise devices without adding a Google account: Administrators now have the option to allow Android Enterprise devices to be activated without adding a Google Play account to the workspace. You might use this option if you do not want to use Google Play to manage work apps on Android Enterprise devices or you want to activate and use the device without accessing Google services. In the activation profile, you specify whether to add Google Play to the workspace for Android Enterprise devices. By default, the activation profile adds the Google account to the work space and Google Play manages the apps. If you do not add a Google account, apps and app configurations are managed through the BlackBerry UEM infrastructure using the BlackBerry UEM Client.

 

BlackBerry UEM now includes Work and personal – full control activations for Android Enterprise devices: This activation type is for devices running Android 8 and later. It lets you manage the entire device. It creates a work profile on the device that separates work and personal data but allows your organization to maintain full control over the device and wipe all data from the device. Data in both the work and personal profiles is protected using encryption and a method of authentication such as a password. This activation type supports the  of device activity (SMS, MMS, and phone calls) in BlackBerry UEM log files.

To activate a device with Work and personal – full control, the user must wipe the device and start the activation in the same way as Work space only activations.

To enable BlackBerry Secure Connect Plus KNOX Platform for Enterprise support, you must select the "When activating Android Enterprise devices, enable premium UEM functionality such as BlackBerry Secure Connect Plus" option in the activation profile.

When you apply IT policy rules to Android Enterprise devices with Work and personal – full control activations, the different rule categories affect different profiles on the device:

  • Global rules apply to the entire device.
  • Work profile rules apply to apps and data in the work profile.
  • Personal profile rules apply to apps and data in the personal profile.

For example, to apply password requirements to unlock the device, use the Global password rules. To apply password requirements only to the work profile, use the Work profile password rules. To prevent screen capture only of work data, deselect the Work profile “Allow screen capture” rule and select the Personal profile “Allow screen capture” rule. To prevent screen capture of both work and personal data, deselect the Personal profile “Allow screen capture” rule.

 

Windows 10 Modern Management

  • Support for Azure Active Directory Join: BlackBerry UEM now supports Azure Active Directory Join which allows a simplified MDM enrollment process for Windows 10 devices. Users can enroll their devices with UEM using their Azure Active Directory username and password.
  • Windows Autopilot support: Azure Active Directory Join is also required to support Windows AutoPilot, which allows Windows 10 devices to be automatically activated with UEM during the Windows 10 out-of-box setup experience. Note: To enable automatic MDM enrollment with BlackBerry UEM during the Windows 10 out-of box setup, a UEM certificate must be installed on the device.

 

Microsoft Azure Cloud

Create an enterprise endpoint in Microsoft Azure Cloud: You can manage and deploy Intune-managed apps from the BlackBerry UEM management console when your environment is configured for Modern authentication.

 

BlackBerry Dynamics

Add public app source files as internal apps: You can now add BlackBerry Dynamics app source files from the public app stores as internal apps so that users can install the apps without connecting to the stores.

 

Link to specific apps: You can now send users a link or QR code that links directly to the app details page for specific BlackBerry Dynamics  apps.

 

Enhancements for certificate enrollment using app-based PKI solutions: BlackBerry UEM has simplified certificate enrollment process for app-based PKI solutions such as Purebred. To use app-based certificates with BlackBerry Dynamics apps, the "Allow BlackBerry Dynamics apps to use certificate, SCEP profiles, and user credential profiles" check box no longer needs to be selected in the BlackBerry UEM Client.

 

BlackBerry Connectivity

BlackBerry Connectivity app updates: The BlackBerry Connectivity app (version 1.18.0.811) for Samsung KNOX Workspace and Android Enterprise devices does not include fixes or improvements, but is upversioned so that administrators can assign and update the app on devices. If enterprise connectivity is required, you are now required to use the BlackBerry UEM administrator console to add the BlackBerry Connectivity app as an internal app and assign it (with a Required disposition) to Samsung KNOX Workspace and Android Enterprise devices that don't have access to Google Play. For more information, visit support.blackberry.com/ community to read article 37299.

 

Logging

Trace  option removed: The option to set  level to Trace has been removed from Service  override. You can set  level to Info, Error, Warning, or Debug.

BlackBerry Proxy Service: Component level is now available for BlackBerry Proxy Service. You can enable  for BlackBerry Proxy Service on the Server group and BlackBerry Connectivity Node default settings pages. 

Colin Fullerton

About Colin Fullerton